Accepting request 1072170 from home:aplanas:branches:security

- Add keylime-ima-policy subpackage to provide a better IMA policy

OBS-URL: https://build.opensuse.org/request/show/1072170
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=43
Alberto Planas 2023-03-15 16:47:53 +00:00 committed by Git OBS Bridge
parent 12219c580f
commit 8f23d7d2e7
5 changed files with 1139 additions and 1 deletions

55
README.suse Normal file

@ -0,0 +1,55 @@
# Notes about the IMA policy
This IMA policy is provided as an example that can be later adapted to
more specific usage.
This was generated from a default tcb IMA policy from a 6.1.12 Linux
kernel, and extended with SELinux file types to filter out the part of
the system that we usually do not want to measure.
To use this policy, we need to copy it in "/etc/ima/ima-policy" and
systemd will load it after the SELinux policy has been loaded.
For this example, we used the initial set of SELinux attributes, that
group the file types under categories. From that list we selected
some of those attribute to deep more into the types that can be relevant for the IMA policy:
seinfo -a
The current selection cover full or partially the types under those
attributes:
base_file_type
base_ro_file_type
configfile
file_type
files_unconfined_type
init_script_file_type
init_sock_file_type
lockfile
logfile
non_auth_file_type
non_security_file_type
openshift_file_type
pidfile
pulseaudio_tmpfsfile
security_file_type
setfiles_domain
spoolfile
svirt_file_type
systemd_unit_file_type
tmpfile
tmpfsfile
Special mention to non_auth_file_type and non_security_file_type
(among other liske logfile or tmpfile), that should cover the most
relevant types of the dynamic part of the system.
The list should also include types from other attributes like
virt_image_type and others (see the policy file comments from a
complete list).
Sometimes is important to see what files are labeled under a specific
type, and for that we can use this:
semanage fcontext -l | grep $TYPE
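Review bot: The usage paragraph ("To use this policy, we need to copy it in "/etc/ima/ima-policy" and systemd will load it ...") does not mention the ima-policy.service unit added in this same commit, and the spec already installs the policy at %{_sysconfdir}/ima/ima-policy, so the copy step reads as out of date. State which mechanism loads the policy and whether the unit has to be enabled. Wording in the same file: "liske" should be "like", "from a complete list" should be "for a complete list", "deep more into" and "Sometimes is important" need rephrasing, and the seinfo and semanage commands would be easier to spot indented as commands, with "$TYPE" quoted.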

1048
ima-policy Normal file

File diff suppressed because it is too large

13
ima-policy.service Normal file

@ -0,0 +1,13 @@
[Unit]
Description=Load the IMA Policy
[Service]
Type=oneshot
RemainAfterExit=yes
Environment=IMA_SECFS_POLICY=/sys/kernel/security/ima/policy
Environment=IMA_POLICY=/etc/ima/ima-policy
ExecStart=bash -c '[ -f $IMA_SECFS_POLICY ] && [ -f $IMA_POLICY ] && cat $IMA_POLICY > $IMA_SECFS_POLICY'
TimeoutStartSec=0
[Install]
WantedBy=basic.target
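Review bot: In ExecStart, the "[ -f $IMA_SECFS_POLICY ] && [ -f $IMA_POLICY ] && cat ..." chain makes bash exit non-zero when either file is absent, so on a host without /sys/kernel/security/ima/policy or without /etc/ima/ima-policy the oneshot unit ends up failed instead of skipped. Move the two existence checks into [Unit] as ConditionPathExists= lines and keep only the write in ExecStart, with both variables quoted. The unit also declares no ordering, while README.suse says the policy has to be loaded after the SELinux policy; add an explicit After= for whatever guarantees that, or a comment explaining why the default ordering is enough. TimeoutStartSec=0 is redundant for Type=oneshot, where the start timeout is already disabled by default.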


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Wed Mar 15 16:46:28 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
- Add keylime-ima-policy subpackage to provide a better IMA policy
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Mar 02 15:12:27 UTC 2023 - aplanas@suse.com Thu Mar 02 15:12:27 UTC 2023 - aplanas@suse.com


@ -36,6 +36,8 @@ Source2: cargo_config
Source3: keylime.xml Source3: keylime.xml
Source4: keylime-user.conf Source4: keylime-user.conf
Source5: tmpfiles.keylime Source5: tmpfiles.keylime
Source6: ima-policy
Source7: ima-policy.service
# PATCH-FIX-OPENSUSE keylime-agent.conf.diff # PATCH-FIX-OPENSUSE keylime-agent.conf.diff
Patch1: keylime-agent.conf.diff Patch1: keylime-agent.conf.diff
BuildRequires: cargo-packaging BuildRequires: cargo-packaging
@ -48,6 +50,7 @@ BuildRequires: tpm2-0-tss-devel
Requires: libtss2-tcti-device0 Requires: libtss2-tcti-device0
Requires: logrotate Requires: logrotate
Requires: tpm2.0-abrmd Requires: tpm2.0-abrmd
Recommends: keylime-ima-policy
Provides: user(keylime) Provides: user(keylime)
%sysusers_requires %sysusers_requires
# Disable this line if you wish to support all platforms. In most # Disable this line if you wish to support all platforms. In most
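Review bot: "Recommends: keylime-ima-policy" makes the policy subpackage part of a default install of the agent, while README.suse describes the policy as "an example that can be later adapted" and says a file at /etc/ima/ima-policy is loaded at boot. Suggests: would keep the example policy opt-in; if Recommends is intended, say in the changelog that installing the agent now places a policy where it will be loaded at boot.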
@ -59,6 +62,12 @@ Provides: user(keylime)
Rust implementation of keylime agent. Keylime is system integrity Rust implementation of keylime agent. Keylime is system integrity
monitoring system. monitoring system.
%package -n keylime-ima-policy
Summary: IMA policy for Keylime agent
%description -n keylime-ima-policy
Subpackage of %{name} to provide an suggested IMA policy for Keylime agent
%prep %prep
%autosetup -a1 -p1 %autosetup -a1 -p1
mkdir .cargo mkdir .cargo
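Review bot: The %description line reads "an suggested IMA policy"; it should be "a suggested IMA policy", and the sentence has no closing period. Going by the %files hunk, the subpackage holds only a policy file and a unit file, so "BuildArch: noarch" fits in this %package section.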
@ -91,6 +100,9 @@ install -d %{buildroot}%{_libexecdir}/keylime
# Create work directory and the certificate directory # Create work directory and the certificate directory
mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca
install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy
install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
# %_check # %_check
# %_{cargo_test} # %_{cargo_test}
@ -131,4 +143,9 @@ mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca
%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime %dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime
%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime/cv_ca %dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime/cv_ca
%files -n keylime-ima-policy
%dir %attr(0750,root,root) %{_sysconfdir}/ima
%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy
%{_unitdir}/ima-policy.service
%changelog %changelog
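Review bot: The file list ships %{_unitdir}/ima-policy.service, but none of the spec hunks adds %pre, %post, %preun or %postun scriptlets for keylime-ima-policy, so the unit is never handled by the %service_add_pre, %service_add_post, %service_del_preun and %service_del_postun macros. Add them for ima-policy.service. Separately, %{_sysconfdir}/ima is 0750 root:root while the policy inside it is 0644: the world-readable bit on the file has no effect behind a directory that others cannot traverse, so pick one intent and make the two modes agree.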